BUSINESS ASSOCIATE AGREEMENT AND SERVICE LEVEL AGREEMENT


THIS BUSINESS ASSOCIATE AGREEMENT (hereinafter agreement) is between Tennessee 
Department of Health (hereinafter Covered Entity) and Appriss, Inc. CONTRACT 34310-21119 
(hereinafter Business Associate). Covered Entity and Business Associate may be referred to 
herein individually as “Party” or collectively as “Parties.” 

BACKGROUND 

Covered Entity acknowledges that it is subject to the Privacy Rule (45 C.F.R. Parts 160 and 164) 
promulgated by the United States Department of Health and Human Services pursuant to the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191. 

Business Associate acknowledges that effective February 17, 2010, the American 
Recovery and Reinvestment Act of 2009 (Pub. L. 111-5), pursuant to Title XIII of Division A
and Title IV of Division B, entitled the “Health Information Technology for Economic and 
Clinical Health” (HITECH) Act, which modifies the HIPAA Privacy and Security Rules, 
subjects and obligates the Business Associate to protect patient health information to the 
same extent and manner as the Covered Entity under the Privacy Rule (45 C.F.R. Parts 160 
and 164) promulgated by the United States Department of Health and Human Services 
pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA),
Public Law 104-191. 45 C.F.R. §§ 164.308, 164.310, 164.312, and 164.316 shall apply to a
business associate of a covered entity in the same manner that these sections apply to the 
covered entity. 

In the course of executing Service Contracts, Business Associate may come into contact with, 
use, or disclose Protected Health Information (PHI) (defined in Section 1.7 below). Said Service 
Contracts are hereby incorporated by reference and shall be taken and considered as a part of 
this document the same as if fully set out herein. In accordance with the federal privacy 
regulations set forth at 45 C.F.R. Part 160 and Part 164, Subparts A and E, which require 
Covered Entity to have a written contract with each of its Business Associates, the Parties wish to 
establish satisfactory assurances that Business Associate will appropriately safeguard PHI and, 
therefore, execute this Agreement. 


1. DEFINITIONS 

1.1. Terms used, but not otherwise defined, in this Agreement shall have the same meaning 
as those terms in 45 C.F.R. §§ 160.103, 164.304, 164.501 and 164.504. 

1.2. “Breach” shall mean the unauthorized acquisition, access, use, or disclosure of protected 
health information which compromises the security or privacy of the protected health 
information except where an unauthorized person to whom such information is disclosed 
would not reasonably have been able to retain such information. 42 U.S.C.A. § 17921. 

1.3. “Breach of the security system” under T.C.A. § 47-18-2107 means unauthorized 
acquisition of unencrypted computerized data that materially compromises the security of 
confidentiality or integrity of personal information maintained by the information holder. 

1.4. “Designated Record Set” shall have the meaning set out in its definition at 45 C.F.R. §
164.501. 

1.5. “Electronic Health Record” shall have the same meaning as set forth in the HITECH Act;
“Electronic Protected Health Information” shall have the same meaning as set forth in 45
C.F.R. § 160.103, limited to the information that the Business Associate creates,
receives, maintains, or transmits for or on behalf of the Covered Entity. 

1.6. “Health Care Operations” shall have the meaning set out in its definition at 45 C.F.R. § 
164.501. 

1.7. “Individual” shall have the same meaning as the term “individual” in 45 C.F.R. § 164.501
and shall include a person who qualifies as a personal representative in accordance with 
45 C.F.R. § 164.502(g). 

1.8. “Information Holder” means any person or business that conducts business in this state, 
or any agency of the state of Tennessee or any of the political subdivisions, that owns or 
stores computerized data that includes personal information. T.C.A. § 47-18-2107(a)(2). 

1.9. “Personal Information” means an individual’s first name or first initial and last name, in 
combination with any one (1) or more of the following data elements, when either the 
name or the data elements are not encrypted: social security number, drivers license 
number, or account number, credit or debit card number; in combination with required 
security code, access code, or password that would permit access to an individual’s
financial account. T.C.A. § 47-18-2107(a)(3)(A) 

1.10. “Privacy Officer” shall have the meaning as set out in its definition at 45 C.F.R. § 
164.530(a)(1). 

1.11. “Privacy Rule” shall mean the Standards for Privacy for Individually Identifiable Health 
Information at 45 C.F.R. Part 160 and Part 164, subparts A and E. 

1.12. “Protected Health Information” shall have the same meaning as the term “protected 
health information” in 45 C.F.R. § 164.501, limited to the information created or received 
by Business Associate from or on behalf of Covered Entity. 

1.13. “Required By Law” shall have the same meaning as the term “required by law” in 45 
C.F.R. §164.501. 

1.14. “Secretary” shall mean the Secretary of the Department of Health and Human Services or 
his/her designee. 

1.15. “Security Event” shall mean an immediately reportable subset of security incidents which 
would include: 

a) a suspected penetration of Business Associate’s information system of which the 
Business Associate becomes aware but for which it is not able to verify within 
FORTY-EIGHT (48) HOURS (of the time the Business Associate became aware of 
the suspected incident) that PHI or other confidential data was not accessed, stolen, 
used, disclosed, modified, or destroyed; 

b) any indication, evidence, or other security documentation that the Business 
Associate’s network resources, including, but not limited to, software, network 
routers, firewalls, database and application servers, intrusion detection systems or 
other security appliances, may have been damaged, modified, taken over by proxy, 
or otherwise compromised, for which Business Associate cannot refute the indication 
within FORTY-EIGHT (48) HOURS of the time the Business Associate became 
aware of such indication; 

c) a breach of the security of the Business Associate's information system(s) (see
definition 1.3 above), by unauthorized acquisition, including, but not limited to, access 
to or use, disclosure, modification or destruction, of unencrypted computerized data 
and which incident materially compromises the security, confidentiality, or integrity of 
PHI; and/or 

d) the unauthorized acquisition, including, but not limited to, access to or use, 
disclosure, modification or destruction, of unencrypted PHI or other confidential 
information of the Covered Entity by an employee or authorized user of Business
Associate’s system(s) which materially compromises the security, confidentiality, or 
integrity of PHI or other confidential information of the Covered Entity. 

e) a security incident involving 500 or more patients shall be reported to HHS 
immediately and a security incident involving less than 500 patients shall be reported 
to HHS annually. 

If data acquired (including, but not limited to, access to or use, disclosure, modification or
destruction of such data) is in encrypted format but the decryption key which would allow 
the decoding of the data is also taken, the parties shall treat the acquisition as a breach 
for purposes of determining appropriate response. 

1.16. “Security Incident” shall mean the attempt or successful unauthorized access, use, 
disclosure, modification, or destruction of information or interference with system 
operations in an information system. 

1.17. “Security Rule” shall mean the “Security Standards for the Protection of Electronic
Protected Health Information” at 45 C.F.R. Parts 160 and 164, Subparts A and C.

1.18. “Services Agreement” shall mean any present or future agreements, either written or oral, 
between Covered Entity and Business Associate under which Business Associate 
provides services to the covered entity which involves the use or disclosure of Protected 
Health Information. The Services Agreement is amended by and incorporates the terms
of the business associate agreement. 

1.19. “Unsecured Protected Health Information” is protected health information that is not
rendered unusable, unreadable or indecipherable to unauthorized individuals through the
use of a technology or methodology specified by the Secretary in the guidance issued 
under 42 U.S.C.A. § 17932(h)(2) decoding of the data is also taken, the parties shall treat 
the acquisition as a breach for purposes of determining appropriate response. 


2. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (PRIVACY RULE) 

2.1. Business Associate agrees to fully comply with the requirements under the Privacy Rule 
applicable to "business associates," as that term is defined in the Privacy Rule and not 
use or further disclose Protected Health Information other than as permitted or required 
by this Agreement, Service Contracts as required by law. In case of any conflict between 
this Agreement and Service Contracts, this Agreement shall govern. 

2.2. Business Associate agrees to implement administrative, including policies, physical, and 
technical safeguards that reasonably and appropriately protect the confidentiality, 
integrity, and availability of any PHI, including EPHI, that it creates, receives, maintains, 
or that it transmits on behalf of the covered entity to prevent use or disclosure of PHI 
other than as provided for by this Agreement. Said safeguards shall include, but are not 
limited to, requiring employees to agree to use or disclose PHI only as permitted or 
required by this Agreement and taking related disciplinary actions for inappropriate use or
disclosure as necessary. 

2.3. Business Associate shall, following a breach of unsecured PHI, as defined in the HITECH 
Act, immediately notify the Covered Entity pursuant to the terms of 45 C.F.R. § 164.410, 
cooperate in the Covered Entity's analysis procedures, including risk assessment, if 
requested. A breach shall be treated as discovered by the Business Associate as of the 
first day on which such breach is known or should have been known or, by exercising 
reasonable diligence, would have been known to Business Associate. Business 
Associate will provide notification to the Covered Entity without unreasonable delay and 
in no event later than twenty-four (24) hours of any suspected or actual breach of 
security, intrusion, or unauthorized use or disclosure. Such notification will contain the 
elements required in 45 C.F.R. § 164.410; and 

2.4. Business Associate shall, pursuant to the HITECH Act and its implementing regulations, 
comply with all additional applicable requirements of the Privacy Rule, including those 
contained in 45 C.F.R. §§ 164.502(e) and 164.504(e)(1)(ii), at such time as the
requirements become applicable to Business Associates. Business Associate will not 
accept payment in exchange for PHI, subject to the exceptions contained in the HITECH 
Act, without a valid authorization from the applicable patient/individual. Business 
associate shall not engage in any communication which might be considered marketing 
under the HITECH Act. Further, Business Associate shall, pursuant to the HITECH Act
and its implementing regulations, comply with applicable requirements of the Security
Rule, contained in 45 C.F.R. §§ 164.308, 164.310, 164.312 and 164.316, at such time as
the requirements are applicable to Business Associates. 

2.5. Business Associate shall within ten (10) days of a written request from the Covered Entity 
and its agents or subcontractors allow the Covered Entity to conduct a reasonable 
inspection of the facility, systems, books, records, agreements, policies and procedures
relating to the use, or disclosure of protected health information pursuant to this 
Agreement for the purpose of monitoring compliance with the terms of this Agreement. 

2.6. Business Associate shall require any agent, including a subcontractor, to whom it 
provides PHI received from, created or received by, Business Associate on behalf of 
Covered Entity or that carries out any duties for the Business Associate involving the use, 
custody, disclosure, creation of, or access to PHI, to agree, by written contract with 
Business Associate, to the same restrictions and conditions that apply through this 
Agreement to Business Associate with respect to such information. 

2.7. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is 
known to Business Associate of a use or disclosure of PHI by Business Associate in 
violation of the requirements of this Agreement. Business Associate agrees to require its 
employees, agents, and subcontractors to immediately report, to Business Associate, any 
use or disclosure of Protected Health Information in violation of this Agreement, and to 
report to Covered Entity any use or disclosure of the PHI not provided by or agreed upon 
in this Agreement. 

2.8. If Business Associate receives PHI from Covered Entity in a Designated Record Set, then 
Business Associate agrees to provide access, at the request of Covered Entity, to PHI in 
a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an
Individual in order to meet the requirements under 45 C.F.R. § 164.524, provided that
Business Associate shall have at least thirty (30) days from Covered Entity’s notice to
provide access to, or deliver such information. 

2.9. If Business Associate receives Protected Health Information from Covered Entity in a
Designated Record Set, then Business Associate agrees to make any amendments to
Protected Health Information in a Designated Record Set that the Covered Entity directs
or agrees to pursuant to the 45 C.F.R. §164.526 at the request of Covered Entity or an 
Individual, and in the time and manner designated by Covered Entity, provided that 
Business Associate shall have at least thirty (30) days from Covered Entity notice to 
make an amendment. 

2.10. Business Associate agrees to make its internal practices, books, and records including 
policies and procedures and Protected Health Information, relating to the use and 
disclosure of PHI received from, created by or received by Business Associate on behalf 
of, Covered Entity available to the Covered Entity or to the Secretary of the United States 
Department of Health and Human Services or the Secretary’s designee, in a time and
manner designated by the Covered Entity or the Secretary, for purposes of determining 
Covered Entity’s or Business Associate’s compliance with the Privacy Rule. 

2.11. Business Associate agrees to document disclosures of PHI and information related to 
such disclosures as would be required for Covered Entity to respond to a request by an 
Individual for an accounting of disclosure of PHI in accordance with 45 C.F.R. §164.528. 

2.12. Business Associate agrees to provide Covered Entity or an Individual, in time and 
manner designated by Covered Entity, information collected in accordance with this 
Agreement, to permit Covered Entity to respond to a request by an Individual for an
accounting of disclosures of Protected Health Information in accordance with 45 C.F.R. § 
164.528, provided that Business Associate shall have at least thirty (30) days from 
Covered Entity notice to provide access to, or deliver such information which shall 
include, at minimum, (a) date of the disclosure; (b) name of the third party to whom the 
Protected Health Information was disclosed and, if known, the address of the third party; 
(c) brief description of the disclosed information; and (d) brief explanation of the purpose 
and basis for such disclosure. 

2.13. Business Associate agrees it must limit any use, disclosure, or request for use or 
disclosure of PHI to the minimum amount necessary to accomplish the intended purpose 
of the use, disclosure, or request in accordance with the requirements of the Privacy 
Rule. Business Associate understands and agrees that the definition of “minimum
necessary” has not been established by HHS guidance and shall keep itself informed of
guidance issued by the Secretary with respect to what constitutes “minimum necessary.” 

2.14. Business Associate agrees it must use reasonable efforts to limit any use, disclosure, or 
request for use or disclosure of PHI to the minimum amount necessary to accomplish the
intended purpose of the use, disclosure, or request in accordance with the requirements 
of the Privacy Rule. 

2.15. Covered Entity may, pursuant to the Privacy Rule, reasonably rely on any requested 
disclosure as the minimum necessary for the stated purpose when the information is 
requested by Business Associate. 

2.16. Business Associate acknowledges that if Business Associate is also a covered entity, as 
defined by the Privacy Rule, Business Associate is required, independent of Business 
Associate’s obligations under this Agreement, to comply with the Privacy Rule's minimum
necessary requirements when making any request for PHI from Covered Entity. 

2.17. Business Associate agrees to adequately and properly maintain all Protected Health
Information received from, or created or received on behalf of, Covered Entity, document
subsequent uses and disclosures of such information by Business Associate as may be 
deemed necessary and appropriate by the Covered Entity, and provide Covered Entity 
with reasonable access to examine and copy such records and documents during normal 
business hours of Business Associate. 

2.18. Business Associate agrees that Covered Entity may at any time review Business
Associate's privacy policies and procedures to determine whether they are consistent
with Covered Entity's policies, procedures, and privacy practices, and shall promptly
notify Business Associate in writing regarding any modifications Covered Entity may
reasonably believe are needed in order to meet Covered Entity’s requirements.

2.19. If Business Associate receives a request from an individual for a copy of the individual's 
Protected Health Information, and the Protected Health Information is in the sole 
possession of the Business Associate, Business Associate will provide the requested 
copies to the individual and notify the Covered Entity of such action. If Business 
Associate receives a request for PHI in the possession of the Covered Entity, or receives 
a request to exercise other individual rights as set forth in the Privacy Rule, Business 
Associate shall notify Covered Entity of such request and forward the request to Covered 
Entity. Business Associate shall then assist Covered Entity in responding to the request. 

2.20. Business Associate agrees to fully cooperate in good faith with and to assist Covered 
Entity in complying with the requirements of the Privacy Rule. 


3. OBLIGATIONS AND ACTIVITIES OF BUSINESS ASSOCIATE (Security Rule) 

3.1. Business Associate agrees to fully comply with the requirements under the Security Rule
applicable to “business associates” as such term is defined in the Security Rule. In case
of any conflict between this Agreement and Service Contracts, this agreement shall 
govern. 

3.2. Business Associate agrees to implement administrative, physical, and technical
safeguards that reasonably and appropriately protect the confidentiality, integrity, and
availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf 
of the covered entity as required by the Security Rule. This includes specifically, but not 
limited to, the utilization of technology commercially available at the time to the Business 
Associate to protect the Covered Entity’s PHI against any reasonably anticipated threats 
or hazards. The Business Associate understands that it has an affirmative duty to
perform a regular review or assessment of security risks, conduct active risk 
management and supply best efforts to assure that only authorized persons and devices 
access its computing systems and information storage, and that only authorized 
transactions are allowed. The Business Associate will maintain appropriate 
documentation of its compliance with the Security Rule. 

3.3. Business Associate shall ensure that any agent, including a subcontractor, to whom it 
provides electronic PHI received from, maintained, or created for Covered Entity or that 
carries out any duties for the Business Associate involving the use, custody, disclosure, 
creation of, or access to PHI supplied by Covered Entity, shall execute a bilateral contract 
(or the appropriate equivalent if the agent is a government entity) with Business 
Associate, incorporating the same restrictions and conditions in this Agreement with 
Business Associate regarding PHI. 

3.4. Tennessee Consumer Notice of System Breach. Business Associate understands that
the Covered Entity is an “information holder” (as may be Business Associate) under the 
terms of T.C.A. § 47-18-2107, and that in the event of a breach of the Business 
Associate’s security system as defined by that statute and Definition 1.7 of this 
agreement, the Business Associate shall indemnify and hold the Covered Entity harmless 
for expenses and/or damages related to the breach. Such obligations shall include, but is 
not limited to, the mailed notifications to any Tennessee resident whose personal 
information is reasonably believed to have been acquired by an unauthorized individual. 
In the event that the Business Associate discovers circumstances requiring notification of
more than a thousand (1,000) persons at one time, the person shall also notify, without
unreasonable delay, all consumer reporting agencies and credit bureaus that compile
and maintain files on consumers on a nationwide basis, as defined by 15 U.S.C. § 1681a,
of the timing distribution and content of the notices. Substitute notice as defined T.C.A. §
47-18-2107(e)(2) and (3), shall not be permitted except as approved in writing in advance
by the Covered Entity. The parties agree that PHI includes data elements in addition to
those included by “personal information” under T.C.A. § 47-18-2107, and agree that
Business Associate’s responsibilities under this paragraph shall include all PHI and PII.

Reporting of Security Incidents. The Business Associate shall track all security incidents
as defined by HIPAA. The Business Associate shall reasonably use its own vulnerability 
assessment of damage potential and monitoring to define levels of Security Incidents and 
responses for Business Associate’s operations. However, the Business Associate shall 
expediently notify the Covered Entity’s Privacy Officer of any Security Incident which 
would constitute a Security Event as defined by this Agreement, including any “breach of 
the security of the system” under T.C.A. § 47-18-2107, in a preliminary report within two
(2) business days of any unauthorized acquisition including, but not limited to, use, 
disclosure, modification, or destruction of PHI by an employee or otherwise authorized 
user of its system of which it becomes aware with a full report of the incident not less 
than five (5) business days of the time it became aware of the incident. 

3.5.1 Business Associate shall identify in writing key contact persons for
administration, data processing, Marketing, Information Systems and Audit
Reporting within thirty (30) days of execution of this Agreement. Business 
Associate shall notify Covered Entity of any reduction of in-house staff persons 
during the term of this Agreement in writing within ten (10) business days. 

Contact for Security Event Notice. Notification for the purposes of Sections 2.7, 3.4 and
3.5 shall be in writing made by certified mail or overnight parcel within two (2) business
days of the event, with supplemental notification by facsimile and/or telephone as soon
as practicable, to the designated Privacy Official of the Covered Entity in accordance to
8.5 Notices and Communications.

Security Compliance Review upon Request. Business Associate agrees to make its
internal practices, books, and records, including policies and procedures relating to the 
security of electronic PHI received from, created by or received by Business Associate on 
behalf of Covered Entity, available to the Covered Entity or to the Secretary of the United 
States Department of Health and Human Services or the Secretary’s designee, in a time
and manner designated by the requester, for purposes of determining Covered Entity’s or 
Business Associate’s compliance with the Security Rule. 

Cooperation in Security Compliance. Business Associate agrees to fully cooperate in
good faith and to assist Covered Entity in complying with the requirements of the Security 
Rule. 


4. PERMITTED USES AND DISCLOSURES BY BUSINESS ASSOCIATE 

4.1. Except as otherwise limited in this Agreement, Business Associate may use or disclose 
PHI to perform functions, activities, or services for, or on behalf of, Covered Entity as 
specified in Service Contracts, provided that such use or disclosure would not violate the 
Privacy Rule if done by Covered Entity. 

4.2. Except as otherwise limited in this Agreement, Business Associate may use Protected 
Health Information as required for Business Associate's proper management and 
administration or to carry out the legal responsibilities of the Business Associate. In the
event a party to this Agreement receives a subpoena, court order, or other demand for 
the information in this Agreement, the receiving party shall immediately inform the other 
party in writing concerning the demand. 

4.3. Except as otherwise limited in this Agreement, Business Associate may disclose 
Protected Health Information for the proper management and administration of the 
Business Associate, provided that disclosures are required by law, or provided that, if 
Business Associate discloses any Protected Health Information to a third party for such a 
purpose, Business Associate shall enter into a written agreement with such third party 
requiring the third party to: (a) maintain the confidentiality of Protected Health Information
and not to use or further disclose such information except as Required By Law or for the 
purpose for which it was disclosed, and (b) notify Business Associate of any instances in 
which it becomes aware in which the confidentiality of the Protected Health Information is 
breached. 

4.4. Except as otherwise limited in this Agreement, Business Associate may use Protected 
Health Information to provide Data Aggregation services to Covered Entity as permitted 
by 42 C.F.R. § 164.504(e)(2)(i)(B).


5. OBLIGATIONS OF COVERED ENTITY 

5.1. Covered Entity shall provide Business Associate with the notice of privacy practices that 
Covered Entity produces in accordance with 45 C.F.R. § 164.520, as well as any 
changes to such notice. 

5.2. Covered Entity shall provide Business Associate with any changes in, or revocation of,
permission by an Individual to use or disclose Protected Health Information, if such 
changes affect Business Associate’s permitted or required uses. 

5.3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure 
of Protected Health Information that Covered Entity has agreed to in accordance with 45 
C.F.R. § 164.522, to the extent that such restriction may affect Business Associate's use 
of Protected Health Information. 


6. PERMISSIBLE REQUESTS BY COVERED ENTITY 

6.1. Covered Entity shall not request Business Associate to use or disclose Protected Health 
Information in any manner that would not be permissible under the Privacy Rule if done 
by Covered Entity. 


7. TERM AND TERMINATION 

7.1. Term. This Agreement shall be effective as of the date on which it is signed by both
parties and shall terminate when all of the Protected Health Information provided by 
Covered Entity to Business Associate, or created or received by Business Associate on 
behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible 
to return or destroy Protected Health Information, Section 7.3 below shall apply. 

7.2. Termination for Cause. 

7.2.1. This Agreement authorizes and Business Associate acknowledges and agrees
Covered Entity shall have the right to immediately terminate this Agreement and 
Service Contracts in the event Business Associate fails to comply with, or 
violates a material provision of, requirements of the Privacy Rule or this 
Agreement. 

7.2.2. Upon Covered Entity’s knowledge of a material breach by Business Associate, 

7.2.2.1. Covered Entity shall, whenever practicable, provide a reasonable 
opportunity for Business Associate to remedy the breach or end the 
violation. 

7.2.2.2. If Business Associate has breached a material term of this Agreement 
and remedy is not possible or if Business Associate does not remedy a 
curable breach or end the violation within a reasonable time as specified 
by, and at the sole discretion of, Covered Entity, Covered Entity may 
immediately terminate this Agreement and Service Contracts. 

7.2.2.3. If neither remedy nor termination is feasible, Covered Entity shall report
the violation to the Secretary of the United States Department of Health
and Human Services or the Secretary’s designee.

7.3. Effect of Termination.

7.3.1. Except as provided in Section 7.3.2 below, upon termination of this Agreement, 
for any reason, Business Associate shall return or destroy all Protected Health 
Information received from Covered Entity, or created or received by Business 
Associate on behalf of, Covered Entity. This provision shall apply to Protected 
Health Information that is in the possession of subcontractors or agents of 
Business Associate. Business Associate shall retain no copies of the Protected 
Health Information. 

7.3.2. In the event that Business Associate determines that returning or destroying the 
Protected Health Information is not feasible, Business Associate shall provide to 
Covered Entity notification of the conditions that make return or destruction 
unfeasible. Upon mutual agreement of the Parties that return or destruction of 
Protected Health Information is unfeasible, Business Associate shall extend the 
protections of this Agreement to such Protected Health Information and limit 
further uses and disclosures of such Protected Health Information to those 
purposes that make the return or destruction unfeasible, for so long as Business 
Associate maintains such Protected Health Information. 


8. MISCELLANEOUS 

8.1. Regulatory Reference. A reference in this Agreement to a section in the Privacy Rule
means the section as in effect or as amended. 

8.2. Amendment. The Parties agree to take such action as is necessary to amend this
Agreement from time to time as is necessary for Covered Entity to comply with the 
requirements of the Privacy Rule and the Health Insurance Portability and Accountability 
Act, Public Law 104-191. Business Associate and Covered Entity shall comply with any 
amendment to the Privacy Rule, the Health Insurance Portability and Accountability Act, 
Public Law 104-191, and related regulations upon the effective date of such amendment, 
regardless of whether this Agreement has been formally amended. 

8.3. Survival. The respective rights and obligations of Business Associate under Section 7.3. 
of this agreement shall survive the termination of this Agreement. 

8.4. Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning 
that permits Covered Entity to comply with the Privacy Rule. 

8.5. Notices and Communications. All instructions, notices, consents, demands, or other 
communications required or contemplated by this Agreement shall be in writing and shall 
be delivered by hand, by facsimile transmission, by overnight courier service, or by first 
class mail, postage prepaid, addressed to the respective party at the appropriate 
facsimile number or address as set forth below, or to such other party, facsimile number, 
or address as may be hereafter specified by written notice. 

COVERED ENTITY: 

Tennessee Department of Health 
Timothy Gregory, Privacy Officer 

710 James Robertson Parkway (5th Floor) Nashville, TN 37243 
Email: Timothy.Gregory@tn.gov 

Telephone: 615-741-1969 
Fax: 615-253-3926 

Tennessee Department of Health 
Mike Moak, Security Officer 

710 James Robertson Parkway (6th Floor) Nashville, TN 37243 
Email: Mike.Moak@tn.gov 

Telephone: 615-741-0899 
Fax: 615-253-3926 

BUSINESS ASSOCIATE: 

Jacob Cooper, Client Relationship Manager 
Appriss Inc. 

10401 Linn Station Rd Ste 200, Louisville, KY 40223 
jcooper@appriss.com 
Telephone# (502)815-5656 
FAX# (502)815-5696 

All instructions, notices, consents, demands, or other communications shall be 
considered effectively given as of the date of hand delivery; as of the date specified for 
overnight courier service delivery; as of three (3) business days after the date of mailing, 
or on the day the facsimile transmission is received mechanically by the facsimile 
machine at the receiving location and receipt is verbally confirmed by the sender. 

8.6. Strict Compliance. No failure by any Party to insist upon strict compliance with any term 
or provision of this Agreement, to exercise any option, to enforce any right, or to seek any 
remedy upon any default of any other Party shall affect, or constitute a waiver of, any 
Party's right to insist upon such strict compliance, exercise that option, enforce that right, 
or seek that remedy with respect to that default or any prior, contemporaneous, or 
subsequent default. No custom or practice of the Parties at variance with any provision of 
this Agreement shall affect, or constitute a waiver of, any Party’s right to demand strict 
compliance with all provisions of this Agreement. 

8.7. Severability. With respect to any provision of this Agreement finally determined by a court 
of competent jurisdiction to be unenforceable, such court shall have jurisdiction to reform 
such provision so that it is enforceable to the maximum extent permitted by applicable 
law, and the Parties shall abide by such court's determination. In the event that any 
provision of this Agreement cannot be reformed, such provision shall be deemed to be 
severed from this Agreement, but every other provision of this Agreement shall remain in 
full force and effect. 

8.8. Governing Law. This Agreement shall be governed by and construed in accordance with 
the laws of the State of Tennessee. 

8.9. Compensation. There shall be no remuneration for performance under this HIPAA 
Business Associate Agreement except as specifically provided by, in, and through, 
contractual relationships referenced herein. 


IN WITNESS WHEREOF, 


TENNESSEE DEPARTMENT OF HEALTH: 





Digitally signed by John J. Dreyzehner - BS 
DN: cn=John J. Dreyzehner - BS, o, ou, 
email=Brandon.C.Silby@tn.gov, c=US 
Date: 2018.11.29 15:47:22 -06'00' 


JOHN J. DREYZEHNER, MD, MPH, FACOEM 


Date 



BUSINESS ASSOCIATE LEGAL ENTITY NAME: 



NAME AND TITLE 


Date 